changelog

every release. signed, dated, attributable.

v0.16.4

today

FEATURE

+observability: agent run history at /agents/[id]/runs — paginated table with stop_reason / iterations / token usage / duration / status filters / date range
+observability: org-level metrics strip on /agents — runs/day chart, top agents by activity + error rate, last-30d totals
+observability: per-agent metrics strip in chat shell — last-7d runs, failure rate, p95 latency
+observability: CSV export of run history (RFC 4180; 50k row ceiling; filter params round-trip)
+observability: failure-rate webhook alert — emits audit.flagged when an agent crosses 20% failures over a 50-run window (deduped per agent per day)
+docs: customer guides for webhooks (event catalog, signing, retries, TS/Python/Go verifier snippets) and observability (metrics catalog, API reference, Slack-bridge example)

v0.16.3

today

FEATURE

+webhooks: outbound subscriptions for org events — deployment.created/failed, agent_run.completed/failed, scim.user_*, admin_action.recorded, audit.flagged
+webhooks: /settings/webhooks dashboard with one-time-show signing secret, delivery log viewer, redeliver button
+webhooks: delivery worker with exponential backoff (1m / 5m / 25m / 2h / 12h / 24h), auto-disable at 50 consecutive failures, SSRF guard at delivery time
+scim 2.0: Groups + Bulk + filter grammar (eq/sw/co/pr/and/or)
+scim 2.0: Group → stech-role mapping with precedence + no-downgrade for unmapped users
+cli: bootstrap script + walkthrough for registering gh as a per-user OAuth CLI source
+ops: scripts/cleanup-fly-leaked-ips.ts (releases IPs leaked by the pre-fix allocateIpAddress retry bug)
+ops: scripts/repair-drizzle-journal.ts (realigns __drizzle_migrations when its hashes have drifted from current files)

v0.16.2

today

FIX

+runtime: disable Bun.serve 10s idle timeout that was killing long agent SSE streams
+api: rewrite magic-link email URL so the link lands at app.stech.com/auth/verify (was 404ing on api host)
+api: encrypt sso_providers oidc clientSecret at rest (AES-256-GCM via SecretsCrypto, sso-v1 prefix)
+infra: docker-compose runs drizzle migrations as a one-shot service before app boot

v0.16.1

today

FIX

+cli: build-define quoting bug — every release v0.4–v0.16.0 shipped VERSION as the literal string `"vX.Y.Z"` (with embedded quotes), which broke parseVersion / isNewer and trapped users on whatever release they first installed (`stech update` always reported `already at latest`)
+existing users on pre-v0.16.1 binaries must do a one-time manual reinstall via the install script

v0.16.0

today

FEATURE

+sso: SAML / OIDC sign-in via @better-auth/sso (Okta, Entra, Auth0, Google Workspace)
+sso: /settings/sso dashboard for org admins (paste IdP metadata XML or OIDC issuer URL)
+scim 2.0: /scim/v2/Users core endpoints + per-org bearer tokens + audit log (org_scim_tokens, scim_event_log)
+api: per-user OAuth delegation for CLI tool sources — each user connects their own gh / kubectl / aws credentials at /settings/cli-credentials
+runtime: tightened fe80::/10 SSRF regex in cli-bootstrap (rejects fe[89ab] short-form impostors)

v0.15.1

today

FIX

+cli: `stech update` verifies binary version matches cache before short-circuiting to "already at latest"
+cli: unified non-echoing promptSecret across auth / secrets / cli add (no plaintext echoes on token prompts)

v0.15.0

today

FEATURE

+cli: BYO CLI tool sources — register any CLI binary via URL + sha + extract path (no central registry)
+app: /settings/cli-sources free-form add/edit form with hashes auto-computed via /v1/cli-sources/compute-sha
+runtime: cli-bootstrap fetches + verifies + installs declared CLI binaries at agent boot, defended by validate-time hostname blocklist + DNS-resolution-time guard + redirect:"manual"
+cli: `stech cli add --url --sha --extract-path --compute-sha` flags

v0.14.0

today

FEATURE

// full git history at github.com/Art-of-Technology/stech.com